X-Content-Type-Options feature

2012-06-28 20:33:09 +09:00 · 2012-06-28 20:33:09 +09:00 · 6610ecd8c4
parent 03bde982fd
commit 6610ecd8c4
2 changed files with 25 additions and 2 deletions
--- a/rack-protection/lib/rack/protection/xss_header.rb
+++ b/rack-protection/lib/rack/protection/xss_header.rb
@ -12,10 +12,15 @@ module Rack
    # Options:
    # xss_mode:: How the browser should prevent the attack (default: :block)
    class XSSHeader < Base
-      default_options :xss_mode => :block
+      default_options :xss_mode => :block, :nosniff => true

      def header
-        { 'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}" }
+        headers = {
+          'X-XSS-Protection' => "1; mode=#{options[:xss_mode]}",
+          'X-Content-Type-Options' => "nosniff"
+        }
+        headers.delete("X-Content-Type-Options") unless options[:nosniff]
+        headers
      end

      def call(env)
--- a/rack-protection/spec/xss_header_spec.rb
+++ b/rack-protection/spec/xss_header_spec.rb
@ -21,4 +21,22 @@ describe Rack::Protection::XSSHeader do
    mock_app with_headers("X-XSS-Protection" => "0")
    get('/').headers["X-XSS-Protection"].should == "0"
  end
+
+  it 'should set the X-Content-Type-Options' do
+    get('/').header["X-Content-Type-Options"].should == "nosniff"
+  end
+
+  it 'should allow changing the nosniff-mode off' do
+    mock_app do
+      use Rack::Protection::XSSHeader, :nosniff => false
+      run DummyApp
+    end
+
+    get('/').headers["X-Content-Type-Options"].should be_nil
+  end
+
+  it 'should not override the header if already set X-Content-Type-Options' do
+    mock_app with_headers("X-Content-Type-Options" => "sniff")
+    get('/').headers["X-Content-Type-Options"].should == "sniff"
+  end
 end